Presentation is loading. Please wait.

Presentation is loading. Please wait.

Current Issues: Cloud Computing Services

Published byRandolph Arnold Modified over 8 years ago

Similar presentations

Presentation on theme: "Current Issues: Cloud Computing Services"— Presentation transcript:

1 Current Issues: Cloud Computing Services

2 The “Cloud” is the default symbol of the Internet in diagrams.
Cloud Computing Definition… Cloud Computing The broader term of “Computing” encompasses: Computation Coordination logic Storage The “Cloud” is the default symbol of the Internet in diagrams. Cloud Computing is about moving computing from the single desktop pc/data centers to commercial service providers on the Internet.

3 The Next Revolution in IT The Big Switch in IT
Classical Computing Buy & Own Hardware, System Software, Applications often to meet peak needs. Install, Configure, Test, Verify Manage .. Finally, use it $$$$....$(High CapEx) Cloud Computing Subscribe Use $ - pay for what you use, based on QoS Every 18 months?

4 Cloud Computing Essential characteristics: Extras
On-demand self service Broad network access Resource pooling Rapid elasticity Measured service Extras Pay-per-use SLA Distribution

5 Cloud Computing Deployment models
Public Clouds: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. Private Clouds: The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise. Community Clouds: Available to members of a community. Hybrid Clouds: Composition of the above models.

6 Cloud Computing Advantages: No capacity planning No upfront commitment
Elastic infrastructure Ease of management

7 Cloud Computing Service Models
What do we make available through Internet? Office Applications, CRM, , Media, Gaming Applications & Services SalesForce.com Google Docs SaaS Development Platforms, Runtime environments for applications, APIs Heroku Microsoft Azure PaaS Development Platform Virtual servers, virtual storage, and networking Amazon EC2, S3 Joyent, Rightscale IaaS Infrastructure

8 Impact of cloud computing on the governance structure of IT organizations

9 Cloud Computing Threats… and negative sides?
Security & Confidentiality Performance Vendor lock-in Where is my data? Who owns it? Who has access to this information? Is the cloud really fast? Can the cloud be efficient for my applications? Can it deliver the performance I paid for? Can I afford to move to a proprietary platform? Are there any standards?

10 Intro to SaaS - Definition
Software as a service (SaaS) is a model of software delivery where the software company provides maintenance, daily technical operation, and support for the software provided to their client. It assumes the software is delivered over the internet. Software delivered to home consumers, small business, medium and large business

11 Intro to SaaS The web as a platform is the center point
Web-browser acting as a thin-client for accessing the software remotely across the internet. Network-based access to, and management of, commercially available (i.e., not custom) software application delivery that typically is closer to a one-to-many model (single instance, multi-tenant architecture) than to a one-to-one model, including architecture, pricing, partnering, and management characteristics The web’s current success mostly thanks to the bandwidth technologies. opening the doors for companies to do things they could not before we had companies trying to do Saas like Corel w/ WordPerfect Dumb terminals, back to the mainframe Not custom software that would open the doors for trying to please everyone custom software means things are more tightly coupled

12 SaaS - Pros Stay focused on business processes
Change software to an Operating Expense instead of a Capital Purchase, making better accounting and budgeting sense. Create a consistent application environment for all users No concerns for cross platform support Easy Access Lower Cost For an affordable monthly subscription Implementation fees are significantly lower Continuous Technology Enhancements Create a consistent application environment for all users through access to the same versions – compatibility – Implementation fees are significantly lower than purchasing proprietary software and hardware.

13 SaaS - Cons Initial time needed for licensing and agreements
Trust, or the lack thereof, is the number one factor blocking the adoption of software as a service (SaaS). Centralized control Possible erosion of customer privacy Absence of disconnected use Another mitigating factor is need for disconnected use. Many users, such as traveling salespeople, need access to data while offline. Some apps have synchonization

14 SaaS Architecture Fueled by Bandwidth technologies
The cost of a PC has been reduced significantly with more powerful computing but the cost of application software has not followed Timely and expensive setup and maintenance costs Licensing issues for business are contributing significantly to the use of illegal software and piracy. The bigger the hard drives the bigger the applications get Cost of software has stayed the same or gotten higher Even some small to medium companies are using pirated software cause they cannot afford it I worked for a company that only installed products like huge Accounting packages as consultants. Made lots of cash due to long days to setup package

15 High-Level Architecture
There are three key differentiators that separate a well-designed SaaS application from a poorly designed one scalable multi-tenant-efficient configurable Scaling the application - maximizing concurrency, and using application resources more efficiently i.e. optimizing locking duration, statelessness, sharing pooled resources such as threads and network connections, caching reference data, and partitioning large databases. A well-designed SaaS application is scalable, multi-tenant-efficient, and configurable.

16 High-Level Architecture (con’t)
Multi-tenancy – important architectural shift from designing isolated, single-tenant applications One application instance must be able to accommodate users from multiple other companies at the same time All transparent to any of the users. This requires an architecture that maximizes the sharing of resources across tenants is still able to differentiate data belonging to different customers. - may be the most significant paradigm shift that an architect accustomed to designing isolated, single-tenant applications has to make. - when a user at one company accesses customer information by using a CRM application service, the application instance that the user connects to may be accommodating users from dozens, or even hundreds, of other companies

17 High-Level Architecture (con’t)
Configurable - a single application instance on a single server has to accommodate users from several different companies at once To customize the application for one customer will change the application for other customers as well. Traditionally customizing an application would mean code changes Each customer uses metadata to configure the way the application appears and behaves for its users. Customers configuring applications must be simple and easy without incurring extra development or operation costs a single application instance on a single server has to accommodate users from several different companies at once, writing custom code to customize for the application for one end-user will change the application for other customers as well. Instead of customizing the application in the traditional sense, each customer uses metadata to configure the way the application appears and behaves for its users. The challenge for the SaaS architect is to ensure that the task of configuring applications is simple and easy for the customers, without incurring extra development or operation costs for each configuration.

18 Saas Financials 4 ways software companies are pricing their products
Open Source – free basic products but charge a fee for the upgrade to the premium product (i.e. Apache, Linux, etc) License software – main way its being done. Customer like this way because they own the software as an asset Leased Software – deployed at customer site but leased for a time period. Used in the days of the mainframe SaaS – subscription pricing. Like leasing is considered and expense but upgrades and maintenance is free and seamless 1. This is not a new thing since companies have been doing this for a while like adobe and hotmail ) 2. Downfall – sometimes forced to upgrade (no support for older versions) …can get expensive 3. Not around a lot anymore. Leased software is not capitalized and is considered an expense 4. Upgrade happened at host site…analyst believe 25% of all software will use this model in the next 5 years

19 Saas Financials (con’t)
Legal should be involved in the acquisition of mission-critical SaaS software Companies are losing control of their data in the SaaS model Depending on the service provider for security and data access. Need to setup contractual relationship with the SaaS provider Setup escrow account With conditions of being able to run application in house Ability to move data from current provider to new location Also Service Level Agreements (SLAs) for Availability, response times, notifications of outages Data integrity, data privacy, frequency of backup, support and disaster recovery loss of support by the SaaS provider means not only the loss of the application functionality but access to all of the proprietary data along with it. Escrow generally refers to the placing of property which is the subject of a commercial transaction (money, title deeds, software source code, etc.,) into the hands of a trusted third party for safekeeping – does not have to be the provider going under i.e. rim law suit The article mentioned that the decision was similar to buying or leasing a car or real estate. Cars and Real estate are not similar. Real estate have more tendency to appreciate Opportunity cost of using the money for investments instead of purchasing the software outright There are so many factors in determining if one should lease or buy that you should use and accoutant … each company is different

20 If cloud computing is so great, why isn’t everyone doing it?
The cloud acts as a big black box, nothing inside the cloud is visible to the clients Clients have no idea or control over what happens inside a cloud Even if the cloud provider is honest, it can have malicious system admins who can tamper with the VMs and violate confidentiality and integrity Clouds are still subject to traditional data confidentiality, integrity, availability, and privacy issues, plus some additional attacks

21 Companies are still afraid to use clouds

22 Causes of Problems Associated with Cloud Computing
Most security problems stem from: Loss of control Lack of trust (mechanisms) Multi-tenancy These problems exist mainly in 3rd party management models Self-managed clouds still have security issues, but not related to above Data mobility: the ability to share data between cloud services Where does data reside? - out-of-state, out-of-country issues Security Concerns for government in particular FISMA How to certify and accredit cloud computing providers under FISMA (e.g. ISO 27001) 22

23 Loss of Control in the Cloud
Consumer’s loss of control Data, applications, resources are located with provider User identity management is handled by the cloud User access control rules, security policies and enforcement are managed by the cloud provider Consumer relies on provider to ensure Data security and privacy Resource availability Monitoring and repairing of services/resources

24 Lack of Trust in the Cloud
trusting a third party requires taking risks Defining trust and risk Opposite sides of the same coin (J. Camp) People only trust when it pays (Economist’s view) Need for trust arises only in risky situations Chiles and McMakin (1996) define trust as increasing one’s vulnerability to the risk of opportunistic behavior of another whose behavior is not under one’s control in a situation in which the costs of violating the trust are greater than the benefits of upholding the trust. Trust here means mostly lack of accountability and verifiability

25 Multi-tenancy Issues in the Cloud
Conflict between tenants’ opposing goals Tenants share a pool of resources and have opposing goals How does multi-tenancy deal with conflict of interest? Can tenants get along together and ‘play nicely’ ? If they can’t, can we isolate them? How to provide separation between tenants? Cloud Computing brings new threats Multiple independent users share the same physical infrastructure Thus an attacker can legitimately be in the same physical machine as the target Who are my neighbors? What is their objective? They present another facet of risk and trust requirements

26 Taxonomy of Fear Confidentiality Integrity
Fear of loss of control over data Will the sensitive data stored on a cloud remain confidential? Will cloud compromises leak confidential client data Will the cloud provider itself be honest and won’t peek into the data? Integrity How do I know that the cloud provider is doing the computations correctly? How do I ensure that the cloud provider really stored my data without tampering with it?

27 Taxonomy of Fear (cont.)
Availability Will critical systems go down at the client, if the provider is attacked in a Denial of Service attack? What happens if cloud provider goes out of business? Would cloud scale well-enough? Often-voiced concern Although cloud providers argue their downtime compares well with cloud user’s own data centers

28 Taxonomy of Fear (cont.)
Privacy issues raised via massive data mining Cloud now stores data from a lot of clients, and can run data mining algorithms to get large amounts of information on clients Increased attack surface Entity outside the organization now stores and computes data, and so Attackers can now target the communication link between cloud provider and client Cloud provider employees can be phished

29 Taxonomy of Fear (cont.)
Auditability and forensics (out of control of data) Difficult to audit data held outside organization in a cloud Forensics also made difficult since now clients don’t maintain data locally Legal quagmire and transitive trust issues Who is responsible for complying with regulations? e.g., SOX, HIPAA, GLBA ? If cloud provider subcontracts to third party clouds, will the data still be secure?

30 Possible Solutions Minimize Lack of Trust Minimize Loss of Control
Policy Language Certification Minimize Loss of Control Monitoring Utilizing different clouds Access control management Identity Management (IDM) Minimize Multi-tenancy

31 Minimize Lack of Trust: Policy Language
Consumers have specific security needs but don’t have a say-so in how they are handled What the heck is the provider doing for me? Currently consumers cannot dictate their requirements to the provider (SLAs are one-sided) Standard language to convey one’s policies and expectations Agreed upon and upheld by both parties Standard language for representing SLAs Can be used in a intra-cloud environment to realize overarching security posture These SLAs typically state the high level policies of the provider (e.g. Will maintain uptime of 98%) and do not allow cloud consumers to dictate their requirements to the provider. COI clouds in particular have specific security policy requirements that must be met by the provider, due to the nature of COIs and the missions they are used for. These requirements need to be communicated to the provider and the provider needs to provide some way of stating that the requirements can be met. Cloud consumers and providers need a standard way of representing their security requirements and capabilities. Consumers also need a way to verify that the provided infrastructure and its purported security mechanisms meet the requirements stated in the consumer’s policy (proof of assertions). For example, if the consumer’s policy requires isolation of VMs, the provider can create an assertion statement that says it uses cache separation to support VM isolation.

32 Minimize Lack of Trust: Policy Language (Cont.)
Create policy language with the following characteristics: Machine-understandable (or at least processable), Easy to combine/merge and compare Examples of policy statements are, “requires isolation between VMs”, “requires geographical isolation between VMs”, “requires physical separation between other communities/tenants that are in the same industry,” etc. Need a validation tool to check that the policy created in the standard language correctly reflects the policy creator’s intentions (i.e. that the policy language is semantically equivalent to the user’s intentions).

33 Minimize Lack of Trust: Certification
Some form of reputable, independent, comparable assessment and description of security features and assurance Sarbanes-Oxley, DIACAP, DISTCAP, etc (are they sufficient for a cloud environment?) Risk assessment Performed by certified third parties Provides consumers with additional assurance

34 Minimize Loss of Control: Monitoring
Cloud consumer needs situational awareness for critical applications When underlying components fail, what is the effect of the failure to the mission logic What recovery measures can be taken (by provider and consumer) Requires an application-specific run-time monitoring and management tool for the consumer The cloud consumer and cloud provider have different views of the system Enable both the provider and tenants to monitor the components in the cloud that are under their control When the underlying components fail in the cloud, the effect of the failures to the mission logic needs to be known so that correct recovery measures can be performed. We propose an application-specific run-time monitoring and management tool. With this tool, the application logic can remain on the consumer’s host computer. This allows the consumer to centrally monitor all aspects of the application as well as data flow. Since all outputs from underlying services are sent to the application logic, any data incompatibility between services is not an issue. The capabilities of the run-time monitoring and management tool are as follows: 1) Enable application user to determine the status of the cloud resources that may be used to run the application (across multiple clouds), 2)  Enable application user to determine the real-time security posture and situational awareness of the application, 3) Provide the application user with the ability to move user’s application (or part of it) to another site (other VM in same cloud or different cloud altogether), 4) Provide the application user with the ability to change the application logic on the fly, 5) Provide communicate capabilities with cloud providers. There are a few cloud vendors such as NimSoft [41] and Hyperic [42] that provide application-specific monitoring tools that provide some of the above functionality. These monitoring tools may be further enhanced or used in conjunction with other tools to provide the degree of monitoring required. However, any tool that is to be used for military purposes must also receive some type of accreditation and certification procedure.

35 Minimize Loss of Control: Monitoring (Cont.)
Provide mechanisms that enable the provider to act on attacks he can handle. infrastructure remapping (create new or move existing fault domains) shutting down offending components or targets (and assisting tenants with porting if necessary Repairs Provide mechanisms that enable the consumer to act on attacks that he can handle (application-level monitoring). RAdAC (Risk-adaptable Access Control) VM porting with remote attestation of target physical host Provide ability to move the user’s application to another cloud

36 Minimize Loss of Control: Utilize Different Clouds
The concept of ‘Don’t put all your eggs in one basket’ Consumer may use services from different clouds through an intra-cloud or multi-cloud architecture Propose a multi-cloud or intra-cloud architecture in which consumers Spread the risk Increase redundancy (per-task or per-application) Increase chance of mission completion for critical applications Possible issues to consider: Policy incompatibility (combined, what is the overarching policy?) Data dependency between clouds Differing data semantics across clouds Knowing when to utilize the redundancy feature (monitoring technology) Is it worth it to spread your sensitive data across multiple clouds? Redundancy could increase risk of exposure Differering data semantics example: does a data item labeled secret in one cloud have the same semantics as another piece of data also labeled secret in a different cloud?

37 Minimize Multi-tenancy
Can’t really force the provider to accept less tenants Can try to increase isolation between tenants Strong isolation techniques (VPC to some degree) C.f. VM Side channel attacks (T. Ristenpart et al.) QoS requirements need to be met Policy specification Can try to increase trust in the tenants Who’s the insider, where’s the security boundary? Who can I trust? Use SLAs to enforce trusted behavior

38 Mitigating Data Loss Risks
The risk of data loss (as in the T-Mobile Sidekick case) is an exception to the availability discussion on the preceding slide. Users may be able to tolerate an occasional service interrup-tion, but non-recoverable data losses can kill a business. Most cloud computing services use distributed and replicated global file systems which are designed to insure that hardware failures (or even loss of an entire data center) will not result in any permanent data loss, but I believe there is still value in doing a traditional off site backup of one's data, whether that data is in use by traditional servers or cloud computing servers. When looking for solutions, make sure you find ones that backs up data FROM the cloud (many backup solutions are meant to backup local data TO the cloud!)

39 Choice of Cloud Provider
Cloud computing is a form of outsourcing, and you need a high level of trust in the entities you'll be partnering with. It may seem daunting at first to realize that your application depends (critically!) on the trustworthiness of your cloud providers, but this is not really anything new -- today, even if you're not using the cloud, you already rely on and trust: -- network service providers, -- hardware vendors, -- software vendors, -- service providers, -- data sources, etc. Your cloud provider will be just one more entity on that list.

40 Questions

Download ppt "Current Issues: Cloud Computing Services"

Similar presentations

Distributed Data Processing

Distributed Data Processing
Pros and Cons of Cloud Computing Professor Kam-Fai Wong Faculty of Engineering The Chinese University of Hong Kong.

Pros and Cons of Cloud Computing Professor Kam-Fai Wong Faculty of Engineering The Chinese University of Hong Kong.
Ed Duguid with subject: MACE Cloud

Ed Duguid with subject: MACE Cloud
Take your CMS to the cloud to lighten the load Brett Pollak Campus Web Office UC San Diego.

Take your CMS to the cloud to lighten the load Brett Pollak Campus Web Office UC San Diego.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 1 01/25/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 1 01/25/2010 Security and Privacy in Cloud Computing.
INTRODUCTION TO CLOUD COMPUTING CS 595 LECTURE 6 2/13/2015.

INTRODUCTION TO CLOUD COMPUTING CS 595 LECTURE 6 2/13/2015.
Software as a Service (SaaS) Does it make Cents? by Brian Moore.

Software as a Service (SaaS) Does it make Cents? by Brian Moore.
Bharat Bhargava Computer Science Purdue University Research in Cloud Computing YounSun Cho Computer Science Purdue.

Bharat Bhargava Computer Science Purdue University Research in Cloud Computing YounSun Cho Computer Science Purdue.
The Cloud: Demystified Neil Cattermull Frontier Technology.

The Cloud: Demystified Neil Cattermull Frontier Technology.
CLOUD PRIVACY AND SECURITY CS 595 LECTURE 15 4/15/2015.

CLOUD PRIVACY AND SECURITY CS 595 LECTURE 15 4/15/2015.
Presented by Sujit Tilak. Evolution of Client/Server Architecture Clients & Server on different computer systems Local Area Network for Server and Client.

Presented by Sujit Tilak. Evolution of Client/Server Architecture Clients & Server on different computer systems Local Area Network for Server and Client.
SaaS, PaaS & TaaS By: Raza Usmani

SaaS, PaaS & TaaS By: Raza Usmani
SPRING 2011 CLOUD COMPUTING Cloud Computing San José State University Computer Architecture (CS 147) Professor Sin-Min Lee Presentation by Vladimir Serdyukov.

SPRING 2011 CLOUD COMPUTING Cloud Computing San José State University Computer Architecture (CS 147) Professor Sin-Min Lee Presentation by Vladimir Serdyukov.
Security Issues in Cloud Computing

Security Issues in Cloud Computing
1. 2 New Computing Models, and What They Mean to the Small and Mid Sized Business Consumer How your business can make practical decisions between “The.

1. 2 New Computing Models, and What They Mean to the Small and Mid Sized Business Consumer How your business can make practical decisions between “The.
Cloud Computing Stuart Dillon-Roberts. “In the simplest terms, cloud computing means storing & accessing data & programs over the Internet instead of.

Cloud Computing Stuart Dillon-Roberts. “In the simplest terms, cloud computing means storing & accessing data & programs over the Internet instead of.
Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer.

Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer.
Cloud computing Tahani aljehani.

Cloud computing Tahani aljehani.
Duncan Fraiser, Adam Gambrell, Lisa Schalk, Emily Williams

Duncan Fraiser, Adam Gambrell, Lisa Schalk, Emily Williams
Chapter-7 Introduction to Cloud Computing Cloud Computing.

Chapter-7 Introduction to Cloud Computing Cloud Computing.

Similar presentations

Ads by Google